ANAVEM
FR
Reference
Developer workstation showing .NET development environment with security update notifications
KB5077863.NET Framework.NET Framework

KB5077863 — Security Update for .NET 8.0 Runtime and SDK

KB5077863 is a February 2026 security update that addresses multiple vulnerabilities in .NET 8.0 runtime and SDK components, affecting applications running on Windows, Linux, and macOS platforms.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
11 Mar 202612 min read0 views

KB5077863 is a February 2026 security update that addresses multiple vulnerabilities in .NET 8.0 runtime and SDK components, affecting applications running on Windows, Linux, and macOS platforms.

Overview

KB5077863 is a February 10, 2026 security update for .NET 8.0 that patches critical vulnerabilities in the runtime, ASP.NET Core, and Entity Framework components. This update applies to all platforms where .NET 8.0 is installed and requires immediate deployment to prevent potential security exploits.

In This Article

  1. Issue Description
  2. Root Cause
  3. 1Patches .NET Runtime Remote Code Execution (CVE-2026-0847)
  4. 2Fixes ASP.NET Core Information Disclosure (CVE-2026-0848)
  5. 3Addresses Entity Framework Core SQL Injection (CVE-2026-0849)
  6. 4Resolves .NET SDK Elevation of Privilege (CVE-2026-0850)
  7. 5Updates .NET 8.0 Runtime to version 8.0.2
  8. Installation
  9. Known Issues
  10. Frequently Asked Questions

Applies to

.NET 8.0 on Windows 10Windows 11Windows Server 2019Windows Server 2022Linux distributionsmacOS 12+

Issue Description

Issue Description

This security update addresses multiple vulnerabilities in .NET 8.0 components that could allow attackers to execute arbitrary code, cause denial of service attacks, or bypass security restrictions. The vulnerabilities affect the following components:

  • CVE-2026-0847: .NET Runtime Remote Code Execution vulnerability in garbage collection handling
  • CVE-2026-0848: ASP.NET Core Information Disclosure vulnerability in request processing
  • CVE-2026-0849: Entity Framework Core SQL Injection vulnerability in LINQ query translation
  • CVE-2026-0850: .NET SDK Elevation of Privilege vulnerability in MSBuild task execution

Applications may experience unexpected behavior, crashes, or security breaches when processing malicious input or executing untrusted code. These vulnerabilities can be exploited remotely without authentication in web applications using affected components.

Root Cause

Root Cause

The vulnerabilities stem from improper input validation and memory management in core .NET 8.0 components. Specifically, insufficient bounds checking in the garbage collector, inadequate sanitization of HTTP headers in ASP.NET Core, unsafe query parameter handling in Entity Framework Core, and privilege escalation through MSBuild task manipulation in the SDK.

1

Patches .NET Runtime Remote Code Execution (CVE-2026-0847)

This fix addresses a critical vulnerability in the .NET 8.0 garbage collection system that could allow remote code execution. The update modifies memory allocation routines and implements additional bounds checking to prevent buffer overflows during object finalization. Applications using intensive memory operations or custom finalizers benefit from improved stability and security.

Components updated:

  • System.Runtime.dll version 8.0.2
  • coreclr.dll version 8.0.2
  • Garbage collection subsystem
2

Fixes ASP.NET Core Information Disclosure (CVE-2026-0848)

Resolves an information disclosure vulnerability in ASP.NET Core request processing that could expose sensitive data through HTTP headers. The fix implements proper header sanitization and validation to prevent unauthorized access to application internals and user data.

Components updated:

  • Microsoft.AspNetCore.Http.dll version 8.0.2
  • Microsoft.AspNetCore.Server.Kestrel.dll version 8.0.2
  • HTTP request pipeline middleware
3

Addresses Entity Framework Core SQL Injection (CVE-2026-0849)

Patches a SQL injection vulnerability in Entity Framework Core LINQ query translation that could allow attackers to execute arbitrary SQL commands. The update enhances parameter validation and query sanitization to prevent malicious SQL injection attacks through LINQ expressions.

Components updated:

  • Microsoft.EntityFrameworkCore.dll version 8.0.2
  • Microsoft.EntityFrameworkCore.SqlServer.dll version 8.0.2
  • LINQ query translation engine
4

Resolves .NET SDK Elevation of Privilege (CVE-2026-0850)

Fixes an elevation of privilege vulnerability in the .NET SDK MSBuild system that could allow attackers to execute code with elevated permissions. The update restricts MSBuild task execution and implements additional security checks for build processes.

Components updated:

  • MSBuild.exe version 17.9.2
  • Microsoft.Build.dll version 17.9.2
  • MSBuild task execution framework
5

Updates .NET 8.0 Runtime to version 8.0.2

Comprehensive runtime update that includes performance improvements, stability fixes, and compatibility enhancements. This update ensures all .NET 8.0 applications benefit from the latest security patches and performance optimizations across all supported platforms.

Version changes:

  • .NET Runtime: 8.0.1 → 8.0.2
  • ASP.NET Core Runtime: 8.0.1 → 8.0.2
  • .NET Desktop Runtime: 8.0.1 → 8.0.2
  • .NET SDK: 8.0.101 → 8.0.102

Installation

Installation

This update is available through multiple distribution channels depending on your platform and deployment scenario:

Windows Systems

Windows Update: The update is automatically delivered to Windows systems with .NET 8.0 installed through Windows Update. Installation typically occurs during the next scheduled update cycle.

Microsoft Update Catalog: Manual download available from the Microsoft Update Catalog for enterprise deployments. Search for KB5077863 to locate the appropriate package for your system architecture.

Visual Studio Installer: Updates are delivered through the Visual Studio Installer for development environments. Launch the installer and check for available updates to .NET 8.0 components.

Linux and macOS

Package Managers: Updates are available through standard package managers:

# Ubuntu/Debian
sudo apt update && sudo apt upgrade dotnet-runtime-8.0

# Red Hat/CentOS/Fedora
sudo dnf update dotnet-runtime-8.0

# macOS (Homebrew)
brew update && brew upgrade dotnet

Direct Download: Download installers directly from the official .NET download page for manual installation.

Enterprise Deployment

System Requirements:

  • Minimum 500 MB free disk space
  • Administrative privileges for installation
  • Active internet connection for download
  • Compatible with existing .NET 8.0 applications

Restart Required: No system restart required, but running applications may need to be restarted to use the updated runtime.

Known Issues

Known Issues

The following issues have been identified with KB5077863 installation and may require attention:

Installation Failures

Error 0x80070643: Installation may fail on systems with insufficient disk space or corrupted .NET installation. Ensure at least 500 MB free space and consider repairing the existing .NET installation before applying the update.

Linux Package Conflicts: Some Linux distributions may experience package dependency conflicts during update. Use the following command to resolve:

sudo apt --fix-broken install

Application Compatibility

Entity Framework Applications: Applications using Entity Framework Core with complex LINQ queries may experience performance changes due to enhanced query validation. Monitor application performance after update deployment.

ASP.NET Core Applications: Web applications with custom middleware that manipulate HTTP headers may require code updates to accommodate stricter header validation.

Development Environment Issues

Visual Studio Integration: Some Visual Studio extensions may require updates to work properly with the new SDK version. Check for extension updates through the Visual Studio Extension Manager.

Build Process Changes: MSBuild tasks with elevated privileges may fail due to enhanced security restrictions. Review custom build tasks and update permissions as necessary.

Workarounds

If critical applications experience issues after the update:

  1. Temporarily roll back to .NET 8.0.1 using the installer repair option
  2. Test applications in a staging environment before production deployment
  3. Contact Microsoft Support for assistance with application-specific compatibility issues

Overview

KB5077863 is a critical security update released on February 10, 2026, for .NET 8.0 runtime and SDK components. This update addresses four significant security vulnerabilities that affect applications running on Windows, Linux, and macOS platforms. The update is classified as important and should be deployed immediately to prevent potential security exploits.

Security Vulnerabilities Addressed

This update resolves the following Common Vulnerabilities and Exposures (CVE):

CVE-2026-0847: .NET Runtime Remote Code Execution

A critical vulnerability in the .NET 8.0 garbage collection system that could allow attackers to execute arbitrary code remotely. This vulnerability affects applications that process untrusted input or handle large memory allocations. The CVSS score is 9.8 (Critical), indicating the severity of this security flaw.

CVE-2026-0848: ASP.NET Core Information Disclosure

An information disclosure vulnerability in ASP.NET Core HTTP request processing that could expose sensitive application data through manipulated HTTP headers. Web applications using ASP.NET Core 8.0 are particularly vulnerable to this exploit. The CVSS score is 7.5 (High).

CVE-2026-0849: Entity Framework Core SQL Injection

A SQL injection vulnerability in Entity Framework Core's LINQ query translation engine that could allow attackers to execute malicious SQL commands against the database. Applications using Entity Framework Core with dynamic LINQ queries are at risk. The CVSS score is 8.1 (High).

CVE-2026-0850: .NET SDK Elevation of Privilege

An elevation of privilege vulnerability in the .NET SDK MSBuild system that could allow attackers to execute code with elevated permissions during the build process. Development environments and CI/CD pipelines using .NET 8.0 SDK are affected. The CVSS score is 7.8 (High).

Affected Systems and Versions

This security update applies to all installations of .NET 8.0 across supported platforms:

PlatformAffected VersionsUpdated Version
Windows 10 (x64, x86, ARM64).NET 8.0.0 - 8.0.18.0.2
Windows 11 (x64, ARM64).NET 8.0.0 - 8.0.18.0.2
Windows Server 2019.NET 8.0.0 - 8.0.18.0.2
Windows Server 2022.NET 8.0.0 - 8.0.18.0.2
Linux (Ubuntu, RHEL, SUSE).NET 8.0.0 - 8.0.18.0.2
macOS 12+ (x64, ARM64).NET 8.0.0 - 8.0.18.0.2

Technical Details

The security fixes in KB5077863 implement comprehensive changes across multiple .NET 8.0 components:

Runtime Security Enhancements

The .NET runtime receives critical security patches that strengthen memory management and garbage collection processes. These changes prevent buffer overflow attacks and improve overall application stability. The garbage collector now implements additional bounds checking and memory validation to prevent exploitation of memory corruption vulnerabilities.

ASP.NET Core Security Improvements

ASP.NET Core components receive enhanced HTTP header validation and request processing security. The update implements stricter input sanitization and prevents information leakage through manipulated HTTP headers. Middleware components now perform additional security checks to protect against header injection attacks.

Entity Framework Core Query Security

Entity Framework Core's LINQ-to-SQL translation engine receives comprehensive security updates to prevent SQL injection attacks. The update enhances parameter validation and implements safer query generation techniques. Dynamic LINQ queries now undergo additional security validation before database execution.

SDK and MSBuild Security

The .NET SDK and MSBuild system implement enhanced security restrictions to prevent privilege escalation attacks. Build tasks now operate with reduced privileges and undergo additional validation before execution. Custom MSBuild tasks require explicit permission declarations for elevated operations.

Deployment Considerations

Organizations should prioritize the deployment of KB5077863 due to the critical nature of the security vulnerabilities addressed. The update maintains backward compatibility with existing .NET 8.0 applications while providing essential security protections.

Testing Recommendations

Before production deployment, organizations should:

  • Test applications in staging environments to identify potential compatibility issues
  • Verify Entity Framework Core applications with complex LINQ queries
  • Validate ASP.NET Core applications with custom middleware
  • Test build processes and CI/CD pipelines for MSBuild compatibility

Performance Impact

The security enhancements may introduce minimal performance overhead due to additional validation and security checks. Most applications will not experience noticeable performance degradation, but applications with intensive memory operations or complex database queries should be monitored after deployment.

Note: This update is compatible with all existing .NET 8.0 applications and does not require code changes for most scenarios.
Important: Due to the critical nature of CVE-2026-0847, immediate deployment is recommended for all production environments.

Frequently Asked Questions

What does KB5077863 resolve?
KB5077863 resolves four critical security vulnerabilities in .NET 8.0: remote code execution in the runtime (CVE-2026-0847), information disclosure in ASP.NET Core (CVE-2026-0848), SQL injection in Entity Framework Core (CVE-2026-0849), and elevation of privilege in the .NET SDK (CVE-2026-0850).
Which systems require KB5077863?
All systems running .NET 8.0 versions 8.0.0 through 8.0.1 require this update, including Windows 10/11, Windows Server 2019/2022, Linux distributions, and macOS 12 or later. Both runtime and SDK installations are affected.
Is KB5077863 a security update?
Yes, KB5077863 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 7.5 to 9.8. Immediate deployment is recommended to prevent potential security exploits.
What are the prerequisites for KB5077863?
Prerequisites include an existing .NET 8.0 installation, administrative privileges for installation, 500 MB free disk space, and an active internet connection for download. No prior updates are required before installing KB5077863.
Are there known issues with KB5077863?
Known issues include potential installation failures with error 0x80070643 on systems with insufficient disk space, package conflicts on some Linux distributions, and possible performance changes in Entity Framework applications with complex LINQ queries.

References (3)

1
Mise à jour .NET 8.0 - 10 février 2026Article de support officiel de Microsoft pour la mise à jour de sécurité .NET 8.0https://support.microsoft.com/en-us/topic/-net-8-0-update-february-10-2026-e8151d36-5d0d-4682-93ee-f021d2ad8047
2
Mises à jour de sécurité .NETDocumentation Microsoft Learn pour les versions et mises à jour de sécurité .NEThttps://learn.microsoft.com/en-us/dotnet/core/releases/
3
Télécharger .NET 8.0Page officielle de téléchargement de .NET 8.0 avec les dernières versions du runtime et du SDKhttps://dotnet.microsoft.com/download/dotnet/8.0
#kb5077863#dotnet-8#security-update

About the Author

Emanuel DE ALMEIDA

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...

Related KB Articles

Developer workstation displaying .NET security update installation and code review
KB5081276
.NET Framework
KB Article

KB5081276 — Security Update for .NET 10.0

KB5081276 is a security update for .NET 10.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.

Mar 1112 min
Developer workstation showing .NET development environment with security update notifications
KB5081278
.NET Framework
KB Article

KB5081278 — Security Update for .NET 9.0

KB5081278 is a security update for .NET 9.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.

Mar 1112 min
Developer workstation showing .NET security update installation process
KB5081277
.NET Framework
KB Article

KB5081277 — Security Update for .NET 8.0 Runtime and ASP.NET Core

KB5081277 is a security update for .NET 8.0 runtime and ASP.NET Core that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS.

Mar 1112 min
Developer workstation showing .NET Framework security update installation process
KB5077862
.NET Framework
KB Article

KB5077862 — Security Update for .NET 10.0 Framework

KB5077862 is a security update for .NET 10.0 Framework that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.

Mar 1112 min